import csv
import os
import re
import subprocess
import sys
import time

# Procmon operation names that are always copied into the signature report,
# independent of whether the same (PID, path) pair was seen before.
sig_list = [
	"SetRenameInformationFile",
	"Process Start",
	"Process Create",
]

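def doLog(msg):
	"""Write ``msg`` to stdout prefixed with the current local time in brackets.

	Args:
		msg: text to log; emitted as ``[<time.ctime()>] <msg>`` on one line.
	"""
	# Single-argument print() form: prints one line under both Python 2
	# (parenthesised print statement) and Python 3 (print function).
	print("[%s] %s" % (time.ctime(), msg))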

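def isReport(filename):
	"""Return True when ``filename`` is an existing path that is not a directory.

	Problems are logged through doLog rather than raised, so callers treat a
	False result as "skip this input".

	Args:
		filename: path to check.

	Returns:
		False if the path does not exist or is a directory, True otherwise.
	"""
	if not os.path.exists(filename):
		# Space before the message text: the original concatenation printed
		# "<name>does not exist".
		doLog(filename + " does not exist")
		return False
	if os.path.isdir(filename):
		doLog(filename + " is a dir not a file")
		return False
	return True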

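def _child_pid(detail):
	"""Return the child PID from a "Process Create" Detail field, or None.

	The script has always taken the second whitespace-separated token of the
	Detail column as the PID (this appears to match Procmon's
	``PID: <n>, Command line: ...`` layout).  Only a leading run of digits is
	accepted: the rest of the Detail column holds the sample's command line,
	which is attacker-controlled and must never reach the taskkill call.

	Args:
		detail: raw text of the Detail column.

	Returns:
		The PID as a digits-only string, or None when no PID can be parsed.
	"""
	tokens = detail.split()
	if len(tokens) < 2:
		return None
	match = re.match(r"\d+", tokens[1])
	return match.group(0) if match else None


def log_filter(filename):
	"""Reduce a Procmon CSV export to the events attributed to the sample.

	The header line is copied verbatim.  A data row is considered when its
	Process Name column is "malware.exe" or its PID column is one of the child
	PIDs recorded from an earlier successful "Process Create" row.  For such a
	Process Create row the child is terminated with taskkill, its PID is added
	to the tracked set and the row is written.  Any other candidate row is
	written unless it is low-level IRP/FastIO noise, NTFS metadata-file
	access or a "Process Profiling" event.

	Rows are parsed with the csv module so quoted fields that contain commas
	(paths, command lines) keep their column positions.  Columns are read
	positionally as Procmon exports them: 1 = Process Name, 2 = PID,
	3 = Operation, 4 = Path, 5 = Result, 6 = Detail.

	Args:
		filename: path to the Procmon CSV export.

	Returns:
		Path of the written "<stem>_filtered.txt" file, or None when
		``filename`` is not a readable report (see isReport).
	"""
	if not isReport(filename):
		return None
	# splitext instead of filename[:-4]: works for any extension length.
	output_name = os.path.splitext(filename)[0] + "_filtered.txt"
	noise_operations = ("IRP_MJ_", "FASTIO_")
	# NTFS metadata files whose accesses carry no signal about the sample.
	ntfs_metafiles = (
		"pagefile.sys", "$Mft", "$MftMirr", "$LogFile", "$Volume",
		"$AttrDef", "$Root", "$Bitmap", "$Boot", "$BadClus", "$Secure",
		"$UpCase", "$Extend",
	)
	with open(filename) as rpt, open(output_name, "w") as out:
		out.write(rpt.readline())
		child_pids = []
		for line in rpt:
			info = next(csv.reader([line]), [])
			if len(info) < 6:
				continue  # blank or truncated row: nothing to match on
			if info[1] != "malware.exe" and info[2] not in child_pids:
				continue
			if info[3] == "Process Create" and info[5] == "SUCCESS":
				pid = _child_pid(info[6] if len(info) > 6 else "")
				if pid is None:
					doLog("Create Process without a parsable PID: " + line.rstrip())
				else:
					# argv list, no shell: pid is digits-only, and nothing from the
					# sample's command line can be injected into the command.
					try:
						subprocess.call(["taskkill", "/pid", pid])
					except OSError as exc:
						doLog("taskkill failed for PID %s: %s" % (pid, exc))
					child_pids.append(pid)
				doLog("Create Process: " + os.path.basename(info[4]))
				out.write(line)
				continue
			keep = (not info[3].startswith(noise_operations)
				and not info[5].startswith("FAST IO")
				and not info[4].endswith(ntfs_metafiles)
				and info[3] != "Process Profiling")
			if keep:
				out.write(line)
	return output_name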
	
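def extract_signature(filename):
	"""Write the rows that make up the behavioural signature of a report.

	The header line is copied verbatim.  A data row is written when it is

	* the first "WriteFile" seen for a given (PID, Path) pair,
	* the first "RegSetValue" seen for a given (PID, Path) pair, or
	* any operation named in the module-level ``sig_list``.

	Rows are parsed with the csv module so quoted paths containing commas keep
	their column positions (1 = Process Name, 2 = PID, 3 = Operation,
	4 = Path).

	Args:
		filename: path to the (typically already filtered) CSV report.

	Returns:
		Path of the written "<stem>_signature.txt" file, or None when
		``filename`` is not a readable report (see isReport).
	"""
	if not isReport(filename):
		return None
	# splitext instead of filename[:-4]: works for any extension length.
	output_name = os.path.splitext(filename)[0] + "_signature.txt"
	with open(filename) as rpt, open(output_name, "w") as out:
		out.write(rpt.readline())
		seen_writes = set()   # (pid, path) pairs already emitted for WriteFile
		seen_regsets = set()  # (pid, path) pairs already emitted for RegSetValue
		for line in rpt:
			info = next(csv.reader([line]), [])
			if len(info) < 5:
				continue  # blank or truncated row: nothing to match on
			operation = info[3]
			key = (info[2], info[4])
			keep = False
			if operation == "WriteFile" and key not in seen_writes:
				seen_writes.add(key)
				keep = True
			# Kept as a separate `if` (not elif) to mirror the original check
			# order: a sig_list operation is emitted regardless of the above.
			if operation == "RegSetValue":
				if key not in seen_regsets:
					seen_regsets.add(key)
					keep = True
			elif operation in sig_list:
				keep = True
			if keep:
				out.write(line)
	return output_name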

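def main(filename):
	"""Run the two-stage pipeline: filter the raw report, then extract its signature.

	Args:
		filename: path to the raw Procmon CSV export.
	"""
	doLog("Filtering..")
	# log_filter, not the builtin filter(): calling filter(filename) raised
	# TypeError before any work was done.
	filtered = log_filter(filename)
	if filtered is None:
		# isReport already logged why; passing None on would crash in os.path.
		doLog("No report to process: " + str(filename))
		return
	extract_signature(filtered)
	doLog("Finish filter")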

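def usage():
	"""Print the command-line synopsis followed by a blank line to stdout."""
	# Single-argument print() form so this runs under both Python 2 and 3
	# with the same output as the original print statement.
	print("Usage: %s <file name>" % sys.argv[0])
	print("")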

if __name__ == "__main__":
	# Exactly one positional argument (the report path) is accepted; anything
	# else prints the synopsis and exits successfully.
	args = sys.argv[1:]
	if len(args) == 1:
		main(args[0])
	else:
		usage()
		sys.exit(0)
